package co.lq.modules.security.config;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

import co.lq.annotation.AnonymousAccess;
import co.lq.modules.security.security.JwtAccessDeniedHandler;
import co.lq.modules.security.security.JwtAuthenticationEntryPoint;
import co.lq.modules.security.security.TokenConfigurer;
import co.lq.modules.security.security.TokenProvider;

/**
 * @author billy
 * @date 2020/01/12
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final TokenProvider               tokenProvider;
    private final CorsFilter                  corsFilter;
    private final JwtAuthenticationEntryPoint authenticationErrorHandler;
    private final JwtAccessDeniedHandler      jwtAccessDeniedHandler;
    private final ApplicationContext          applicationContext;

    public SecurityConfig(TokenProvider tokenProvider, CorsFilter corsFilter,
                          JwtAuthenticationEntryPoint authenticationErrorHandler,
                          JwtAccessDeniedHandler jwtAccessDeniedHandler, ApplicationContext applicationContext) {
        this.tokenProvider = tokenProvider;
        this.corsFilter = corsFilter;
        this.authenticationErrorHandler = authenticationErrorHandler;
        this.jwtAccessDeniedHandler = jwtAccessDeniedHandler;
        this.applicationContext = applicationContext;
    }

    @Bean
    GrantedAuthorityDefaults grantedAuthorityDefaults() {
        // 去除 ROLE_ 前缀
        return new GrantedAuthorityDefaults("");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // 密码加密方式
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // 搜寻匿名标记 url： @AnonymousAccess
        Map<RequestMappingInfo, HandlerMethod> handlerMethodMap = applicationContext
                .getBean(RequestMappingHandlerMapping.class)
                .getHandlerMethods();

        Set<String> anonymousUrls = new HashSet<>();
        for (Map.Entry<RequestMappingInfo, HandlerMethod> infoEntry : handlerMethodMap.entrySet()) {
            HandlerMethod handlerMethod = infoEntry.getValue();
            RequestMappingInfo requestMappingInfo = infoEntry.getKey();

            AnonymousAccess anonymousAccess = handlerMethod.getMethodAnnotation(AnonymousAccess.class);
            if (null != anonymousAccess) {
                Set<String> strings = infoEntry.getKey().getPatternsCondition().getPatterns();
                if (strings.size() == 1) {
                    String[] arr = strings.toArray((new String[0]));
                    if (requestMappingInfo.getMethodsCondition().getMethods().contains(RequestMethod.GET)) {
                        String newUrl = arr[0] + "/**";
                        List<String> list = Arrays.asList(new String[] { newUrl });
                        Set<String> sSet = new HashSet<>(list);
                        anonymousUrls.addAll(sSet);
                        continue;
                    }
                }

                anonymousUrls.addAll(infoEntry.getKey().getPatternsCondition().getPatterns());
            }
        }

        httpSecurity
                // 禁用 CSRF
                .csrf()
                .disable()
                .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
                // 授权异常
                .exceptionHandling()
                .authenticationEntryPoint(authenticationErrorHandler)
                .accessDeniedHandler(jwtAccessDeniedHandler)

                // 防止iframe 造成跨域
                .and()
                .headers()
                .frameOptions()
                .disable()

                // 不创建会话
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

                .and()
                .authorizeRequests()
                // 静态资源等等
                .antMatchers(HttpMethod.GET, "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/webSocket/**")
                .permitAll()
                // swagger 文档
                .antMatchers("/swagger-ui.html")
                .permitAll()
                .antMatchers("/swagger-resources/**")
                .permitAll()
                .antMatchers("/webjars/**")
                .permitAll()
                .antMatchers("/*/api-docs")
                .permitAll()
                // 文件
                .antMatchers("/avatar/**")
                .permitAll()
                .antMatchers("/file/**")
                .permitAll()
                // 阿里巴巴 druid
                .antMatchers("/druid/**")
                .permitAll()
                // 放行OPTIONS请求
                .antMatchers(HttpMethod.OPTIONS, "/**")
                .permitAll()

                // 自定义匿名访问所有url放行 ： 允许匿名和带权限以及登录用户访问
                .antMatchers(anonymousUrls.toArray(new String[0]))
                .permitAll()
                // 所有请求都需要认证
                .anyRequest()
                .authenticated()
                .and()
                .apply(securityConfigurerAdapter());
    }

    private TokenConfigurer securityConfigurerAdapter() {
        return new TokenConfigurer(tokenProvider);
    }
}
